CVE-2017-14032

moderate-risk
Published 2017-08-30

ARM mbed TLS before 1.3.21 and 2.x before 2.1.9, if optional authentication is configured, allows remote attackers to bypass peer authentication via an X.509 certificate chain with many intermediates. NOTE: although mbed TLS was formerly known as PolarSSL, the releases shipped with the PolarSSL name are not affected.

Do I need to act?

-
0.07% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.1/10 High
NETWORK / HIGH complexity

Affected Products (20)

Affected Vendors

Arm

References (10)

http://www.debian.org/security/2017/dsa-3967
Issue Tracking https://bugs.debian.org/873557
Issue Tracking https://github.com/ARMmbed/mbedtls/commit/31458a18788b0cf0b722acda9bb2f2fe13a3fb...
Issue Tracking https://github.com/ARMmbed/mbedtls/commit/d15795acd5074e0b44e71f7ede8bdfe1b48591...
Vendor Advisory https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-...
http://www.debian.org/security/2017/dsa-3967
Issue Tracking https://bugs.debian.org/873557
Issue Tracking https://github.com/ARMmbed/mbedtls/commit/31458a18788b0cf0b722acda9bb2f2fe13a3fb...
Issue Tracking https://github.com/ARMmbed/mbedtls/commit/d15795acd5074e0b44e71f7ede8bdfe1b48591...
Vendor Advisory https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-...
46
/ 100
moderate-risk
Severity 24/34 · High
Exploitability 0/34 · Minimal
Exposure 22/34 · High